1 in 10 Employees Has a Stolen Password for Sale Online Today

In the classic folktale, Ali Baba and the 40 Thieves, a band of robbers uses a magical passphrase in order to open up their den of treasures: “Open Sesame!” Unbeknownst to them, a local woodcutter overhears them and uses the same phrase to infiltrate the cave, running off with a bag of gold. While today’s passwords require more than an audible “Open Sesame,” they are still susceptible to the dangers inherent in shared and re-used passwords – especially if those passwords are used to access data in the cloud.

The theft of a username and password in the cloud era is significant because an attacker can gain access to all the data that user has access to in that service; that could include their own data as well as a lot of company data as well.

Troublingly, a study by Joseph Bonneau at the University of Cambridge showed that at least 31% of passwords are reused in multiple places. This implies that, for at least 31% of compromised identities, an attacker could not only gain access to all the data in that cloud service, but potentially all the data in the other cloud services used by that person as well.

Considering that the average person uses three different cloud file-sharing services, and 37% of users upload sensitive data to cloud file-sharing services, the impact of one compromised account can be significant.

Skyhigh investigated this occurrence by looking at anomaly detection data that shows an attacker attempting to log into a compromised account and cross-referencing that against data on user identities for sale on darknet. Here’s what we discovered:

A whopping 92% of companies have users with compromised identities. At the average company, 12% of users have at least one account that has been compromised. At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities.

The availability of stolen credentials online is staggering. Anecdotally, we identified one Fortune 500 company with 10,155 compromised identities. Despite all industries being affected, it was real estate, utilities, and high-tech firms that were particularly at risk.

Until more cloud providers enable multi-factor authentication, we recommend users create a unique, strong password for each cloud service and to change each regularly. It’s certainly a strong precaution against identity thieves shouting their own version of “Open Sesame!” and stealing your sensitive data.

See the hard data

To see more data on how the cloud is used by enterprises and their employees today, download our latest Cloud Adoption and Risk report below.

Cloud Adoption and Risk Report Q4 2014

Based on data from over 15 million users, the definitive resource on cloud usage trends and risks.